PT-2024-19874 · Elastic · Elasticsearch

Published 2024-07-31 · Updated 2025-04-04 · CVE-2024-23444

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Elasticsearch versions prior to 8.12.x

Description

The issue arises when the elasticsearch-certutil CLI tool is used with the csr option to create a new Certificate Signing Request. In this scenario, the private key generated alongside the request is written to disk unencrypted, even if the --pass parameter is provided in the command invocation. This could lead to credential exposure for anyone able to read the generated file.

Recommendations

For Elasticsearch versions prior to 8.12.x, upgrade to version 8.12.x or later to prevent credential exposure. As a temporary workaround, consider restricting access to the elasticsearch-certutil CLI tool to minimize the risk of exploitation.
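As an added check (not part of this advisory or of Elastic's tooling), the following Python script flags private-key files stored in the clear, so an operator can verify whether a key created with --pass was actually encrypted before the bundle leaves the host. It assumes the keys are unpacked as *.key PEM files under a directory, and the PEM samples it embeds are constructed placeholders, not real key material.

```python
"""Audit private-key files for the CVE-2024-23444 failure mode: a key written
in the clear even though a passphrase was requested.

Assumed (not from the advisory): keys land as *.key PEM files under a directory
once the CSR bundle has been unpacked.
"""
from pathlib import Path

# PEM markers meaning the key material is passphrase-protected.
ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8, encrypted
    "Proc-Type: 4,ENCRYPTED",                 # legacy PKCS#1/SEC1 with a DEK-Info header
)
# PEM markers of a private key stored without encryption.
PLAINTEXT_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",            # PKCS#8, unencrypted
    "-----BEGIN RSA PRIVATE KEY-----",        # PKCS#1
    "-----BEGIN EC PRIVATE KEY-----",         # SEC1
)


def classify_pem_key(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'not_a_key' for one PEM file's text."""
    # An encrypted legacy key carries both the RSA/EC header and Proc-Type, so test encryption first.
    if any(m in pem_text for m in ENCRYPTED_MARKERS):
        return "encrypted"
    if any(m in pem_text for m in PLAINTEXT_MARKERS):
        return "plaintext"
    return "not_a_key"


def audit_key_texts(keys: dict[str, str]) -> list[str]:
    """Given {name: pem_text}, return the names whose private key is stored in the clear."""
    return sorted(name for name, text in keys.items() if classify_pem_key(text) == "plaintext")


def audit_directory(root: Path) -> list[str]:
    """Read every *.key file under `root` and report the ones holding an unencrypted key."""
    keys = {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.key")}
    return audit_key_texts(keys)


# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PLAINTEXT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkqhk...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENCRYPTED = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n...placeholder...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    findings = audit_directory(Path(sys.argv[1]) if len(sys.argv) > 1 else Path("."))
    for name in findings:
        print(f"UNENCRYPTED private key: {name}")
    sys.exit(1 if findings else 0)
```

Run it against the unpacked bundle directory; a non-zero exit means at least one key must be re-generated on a fixed version or encrypted before use.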

Fix

Weakness Enumeration: Missing Encryption of Sensitive Data

Related Identifiers

BIT-ELASTICSEARCH-2024-23444
CVE-2024-23444
GHSA-5V8F-XX9M-WJ44

Affected Products

Elasticsearch